[Bug 822959] New: When configuring networking with yast, using dhcp6, firewall blocks it.
https://bugzilla.novell.com/show_bug.cgi?id=822959
https://bugzilla.novell.com/show_bug.cgi?id=822959#c0

Summary: When configuring networking with yast, using dhcp6, firewall blocks it.
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: Other
OS/Version: openSUSE 12.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: carlos.e.r@opensuse.org
QAContact: jsrain@suse.com
Found By: ---
Blocker: ---

I'm testing a new router that has IPv6 capabilities. I enabled its DHCP6 server, but oS 12.3 did not get an IPv6, only the IPv4 one. See:

rescate1:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:85:16:2D:0B
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::221:85ff:fe16:2d0b/64 Scope:Link      <-- (1)
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4271 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3171265 (3.0 Mb)  TX bytes:379424 (370.5 Kb)

(1) that's a link local address, not one via dhcp

Log:
2013-06-03T20:57:04.618453+02:00 rescate1 network[6148]: eth0 Starting DHCP4+DHCP6 client. . . . . . . .
2013-06-03T20:57:04.619896+02:00 rescate1 ifup-dhcp[6561]:
2013-06-03T20:57:04.620840+02:00 rescate1 network[6148]: eth0 IP address: 192.168.1.31/24
2013-06-03T20:57:04.621691+02:00 rescate1 ifup-dhcp[6561]: eth0 IP address: 192.168.1.31/24
2013-06-03T20:57:04.622276+02:00 rescate1 network[6148]: eth0 DHCP6 continues in background
2013-06-03T20:57:04.623284+02:00 rescate1 ifup-dhcp[6561]: eth0 DHCP6 continues in background
2013-06-03T20:57:04.702500+02:00 rescate1 network[6148]: ..done eth1 device: Realtek Semiconductor Co., Ltd. RTL8111/8168
2013-06-03T20:57:04.703128+02:00 rescate1 ifup[8861]: eth1 device: Realtek Semiconductor Co., Ltd. RTL8111/8168
2013-06-03T20:57:04.704288+02:00 rescate1 network[6148]: No configuration found for eth1
2013-06-03T20:57:04.704996+02:00 rescate1 ifup[8861]: No configuration found for eth1
2013-06-03T20:57:04.726882+02:00 rescate1 network[6148]: ..unusedSetting up service network . . . . . . . . . . . . ...done
2013-06-03T20:57:04.726903+02:00 rescate1 systemd[1]: Started LSB: Configure network interfaces and set up routing.
The openSUSE firewall blocks it! Firewall log:
2013-06-03T20:57:04.158282+02:00 rescate1 kernel: [ 1675.547633] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
2013-06-03T20:57:21.676291+02:00 rescate1 kernel: [ 1693.065233] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
2013-06-03T20:57:56.000281+02:00 rescate1 kernel: [ 1727.389585] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
2013-06-03T20:59:07.315296+02:00 rescate1 kernel: [ 1798.704924] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
The port 546 is assigned to it:

dhcpv6-client   546/tcp   # DHCPv6 Client
dhcpv6-client   546/udp   # DHCPv6 Client
dhcpv6-server   547/tcp   # DHCPv6 Server
dhcpv6-server   547/udp   # DHCPv6 Server

So, now, after explicitly opening that port, I get it:

rescate1:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:85:16:2D:0B
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::221:85ff:fe16:2d0b/64 Scope:Link
          inet6 addr: fc00::7fff/64 Scope:Global       <--- correct IPv6 address.
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4854 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3288751 (3.1 Mb)  TX bytes:430544 (420.4 Kb)

I propose that YaST ifup config should automatically or manually (or at least suggest), open that port if dhcp6 (client) is enabled.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
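As an added example (not code from the bug report, YaST or SuSEfirewall2), the Python below scans syslog lines for SFW2-INext-DROP-DEFLT drops of DHCPv6 replies like the ones above (IPv6 UDP to port 546) and checks whether a SuSEfirewall2 sysconfig file opens that port for a zone the way the reporter's workaround does. The sample log lines, the SSH and IPv4 distractor entries, and all function names are constructed for this example.

```python
import re
from ipaddress import ip_address

# Constructed sample: line 1 mirrors the SFW2 drop from the report (MAC= shortened);
# lines 2 and 3 are made-up unrelated drops (SSH, and IPv4 UDP/546) that must not match.
SAMPLE_LOG = """\
2013-06-03T20:57:04.158282+02:00 rescate1 kernel: [ 1675.547633] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
2013-06-03T20:58:10.000000+02:00 rescate1 kernel: [ 1740.000000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.9 DST=192.168.1.31 LEN=60 PROTO=TCP SPT=4444 DPT=22
2013-06-03T20:58:11.000000+02:00 rescate1 kernel: [ 1741.000000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.9 DST=192.168.1.31 LEN=60 PROTO=UDP SPT=546 DPT=546
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
DHCPV6_CLIENT_PORT = 546  # dhcpv6-client in /etc/services


def parse_sfw2_line(line):
    """Return the KEY=VALUE fields of an SFW2 log line, or None if it is not one.
    The first LEN= (IPv6 header) wins; the later UDP LEN= is ignored."""
    if "SFW2-" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def is_dhcpv6_reply_drop(fields):
    """True for IPv6 UDP to port 546: a server/relay reply to a DHCPv6 client,
    which netfilter cannot match as RELATED (see comments #2 and #4)."""
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != str(DHCPV6_CLIENT_PORT):
        return False
    try:
        return ip_address(fields.get("SRC", "")).version == 6
    except ValueError:
        return False


def dropped_dhcpv6_replies(log_text):
    """List (timestamp, interface, source) for every dropped DHCPv6 reply."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_sfw2_line(line)
        if fields and is_dhcpv6_reply_drop(fields):
            hits.append((line.split()[0], fields.get("IN"), fields["SRC"]))
    return hits


def dhcpv6_client_port_open(sysconfig_text, zone="EXT"):
    """True if FW_SERVICES_<zone>_UDP lists 546 or dhcpv6-client, i.e. the
    explicit per-zone workaround from the report is configured."""
    match = re.search(rf'^FW_SERVICES_{zone}_UDP="([^"]*)"', sysconfig_text, re.M)
    entries = match.group(1).split() if match else []
    return str(DHCPV6_CLIENT_PORT) in entries or "dhcpv6-client" in entries
```

Run `dropped_dhcpv6_replies` over `/var/log/messages` output and `dhcpv6_client_port_open` over `/etc/sysconfig/SuSEfirewall2` to confirm, for the zone that holds the interface (FW_DEV_EXT here), whether the drops and the missing port entry line up.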
https://bugzilla.novell.com/show_bug.cgi?id=822959

FeiXiang Zhang <fxzhang@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.pr |yast2-maintainers@suse.de
                   |ovo.novell.com              |
https://bugzilla.novell.com/show_bug.cgi?id=822959

Steffen Winterfeldt <snwint@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|yast2-maintainers@suse.de   |mfilka@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=822959

Michal Filka <mfilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
https://bugzilla.novell.com/show_bug.cgi?id=822959#c1

Michal Filka <mfilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
                 CC|                            |meissner@suse.com
       InfoProvider|                            |carlos.e.r@opensuse.org

--- Comment #1 from Michal Filka <mfilka@suse.com> 2013-08-28 07:51:01 UTC ---

Thanks for the report.

Do you use default SuSEfirewall2 configuration?

Is /etc/sysconfig/SuSEfirewall2.d/services/dhcp6-server existent at your machine?

Do you have net device where you expect dhcp replies assigned into any zone (INT, EXT, DMZ, ...)? If yes, which one? You can check it e.g. using "yast2 firewall" -> interfaces -> Look into "Configured in" column
https://bugzilla.novell.com/show_bug.cgi?id=822959#c2

--- Comment #2 from Marcus Meissner <meissner@suse.com> 2013-08-28 09:09:19 UTC ---

this is the same issue as bug 783002

short summary:
- ipv4 dhcp works through the firewall "RELATED" rules
- ipv6 dhcp does not work through the firewall "RELATED" rules as we cannot match the broadcast address to the reply address.

Unconditionally opening ports might be a workaround but probably should not be default.
https://bugzilla.novell.com/show_bug.cgi?id=822959#c3

Carlos Robinson <carlos.e.r@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|carlos.e.r@opensuse.org     |

--- Comment #3 from Carlos Robinson <carlos.e.r@opensuse.org> 2013-08-29 08:22:41 UTC ---

(In reply to comment #1)
> Thanks for the report.
>
> Do you use default SuSEfirewall2 configuration?

AFAIK, current changes are:

Telcontar:~ # diff /other/aux_01/etc/sysconfig/SuSEfirewall2~ /other/aux_01/etc/sysconfig/SuSEfirewall2
252c252
< FW_SERVICES_EXT_TCP="546"
---
> FW_SERVICES_EXT_TCP=""
266c266
< FW_SERVICES_EXT_UDP="546"
---
> FW_SERVICES_EXT_UDP="dhcpv6-client mdns"
Telcontar:~ #

and they were done after the problem was detected.

> Is /etc/sysconfig/SuSEfirewall2.d/services/dhcp6-server existent at your machine?

Yep.

Telcontar:~ # l /other/aux_01/etc/sysconfig/SuSEfirewall2.d/services/dhcp*
-rw-r--r-- 1 root root 503 Mar 27 16:40 /other/aux_01/etc/sysconfig/SuSEfirewall2.d/services/dhcp-server
-rw-r--r-- 1 root root 507 Mar 27 16:40 /other/aux_01/etc/sysconfig/SuSEfirewall2.d/services/dhcp6-server
Telcontar:~ #

> Do you have net device where you expect dhcp replies assigned into any zone
> (INT, EXT, DMZ, ...)? If yes, which one? You can check it e.g. using "yast2
> firewall" -> interfaces -> Look into "Configured in" column

To look in YaST, I would have to boot into that partition, and that has to wait a bit. I can tell you the contents of the firewall file:

/other/aux_01/etc/sysconfig/SuSEfirewall2:
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""

Is that what you want? Or this?

Telcontar:~ # cat /other/aux_01/etc/sysconfig/network/ifcfg-eth0
BOOTPROTO='dhcp'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='RTL8111/8168B PCI Express Gigabit Ethernet controller'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'
Telcontar:~ #
https://bugzilla.novell.com/show_bug.cgi?id=822959#c4

Michal Filka <mfilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |security-team@suse.de

--- Comment #4 from Michal Filka <mfilka@suse.com> 2013-08-29 09:31:26 UTC ---

Yes, config seems good. There is already a running discussion in bnc#783002. If I understand it well, netfilter is unable to track DHCPv6 related packets. Opening the firewall unconditionally is considered insecure and is not provided by default in SuSEfirewall2.

From YaST POV there are two possibilities:
(1) do not touch
(2) enable 546/udp,tcp explicitly when dhcpv6 is enabled in services.

I personally don't like this approach. I think it can cause only troubles once DHCPv6 gets properly tracked by netfilter. Also, I think that IPv6 / DHCPv6 is not so widely used to require such a special approach.
https://bugzilla.novell.com/show_bug.cgi?id=822959#c5

--- Comment #5 from Marcus Meissner <meissner@suse.com> 2013-08-29 15:52:12 UTC ---

I thought this is about the dhcp CLIENT for ipv6? Or is this about the IPv6 DHCP server?

If it's about the DHCP server, opening ports is possible.
https://bugzilla.novell.com/show_bug.cgi?id=822959#c6

--- Comment #6 from Carlos Robinson <carlos.e.r@opensuse.org> 2013-08-29 17:35:37 UTC ---

What I reported originally was about the client side. The computer running openSUSE Linux 12.3 requests an IPv6 address, and does not get it because it is blocked in the firewall.
https://bugzilla.novell.com/show_bug.cgi?id=822959#c7

Marius Tomaschewski <mt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mt@suse.com

--- Comment #7 from Marius Tomaschewski <mt@suse.com> 2014-05-23 07:46:49 UTC ---

See also https://github.com/openSUSE/susefirewall2/pull/1
https://bugzilla.novell.com/show_bug.cgi?id=822959#c9

--- Comment #9 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-05-27 18:00:23 CEST ---

This is an autogenerated message for OBS integration:
This bug (822959) was mentioned in
https://build.opensuse.org/request/show/235571 Factory / SuSEfirewall2
https://bugzilla.novell.com/show_bug.cgi?id=822959#c10

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
       InfoProvider|security-team@suse.de       |
         Resolution|                            |FIXED

--- Comment #10 from Marcus Meissner <meissner@suse.com> 2014-05-29 07:27:41 UTC ---

trying to allow dhcpv6 input by default